author Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> 2005-07-23 20:44:37 +0000
committer Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> 2005-07-23 20:44:37 +0000
commit 9fa25e1b5512e9f19c909c96d7aedd5a6b7259ad
tree ead223a1135c41c6d03cd8641c7c4d7fa4c598fa /sbin/ipsecctl
parent f439c15110b3a11f4d222267ac6f50f0b61efa8b
document automatic generation of reverse SA rules.
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- sbin/ipsecctl/ipsec.conf.5 16
1 files changed, 13 insertions, 3 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index b9cb972f122..f2c1224d496 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.11 2005/07/10 07:56:56 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.12 2005/07/23 20:44:36 hshoexer Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -131,6 +131,16 @@ The parameter
.Ar spi
is a 32-bit value defining the Security Parameter Index (SPI) for this SA.
The key to be used is a hexadecimal string of arbitrary length.
+For both
+.Ar spi
+and
+.Ar key
+it is possible to specify two values separated by a colon.
+.Xr ipsecctl 8
+will then generate the matching incoming SA using the second values for
+.Ar spi
+and
+.Ar key .
.El
.Pp
For details on how to enable TCP MD5 signatures see
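Review bot: The added paragraph after "hexadecimal string of arbitrary length" says the second values are used for the "matching incoming SA" but never says which SA the first values apply to, or that the generated SA has the from and to addresses of the rule swapped. Suggest stating both directions explicitly, for example that the first spi and key are used for the SA in the direction written in the rule and the second pair for the opposite direction. The commit message calls this a "reverse SA" while the new text says "incoming SA"; using one term throughout would avoid confusion. It would also help to say whether spi and key must both be given in colon form, or whether a pair for one and a single value for the other is accepted.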
@@ -152,8 +162,8 @@ flow esp out from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.12
flow esp in from 192.168.8.0/24 to 192.168.7.0/24 peer 192.168.3.12
# Set up keys for TCP MD5 signatures
-tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000 key 0xdeadbeef
-tcpmd5 from 192.168.3.27 to 192.168.3.14 spi 0x1001 key 0xbeefdead
+tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \\
+ key 0xdeadbeef:0xbeefdead
.Ed
.Sh SEE ALSO
.Xr ipsec 4 ,
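Review bot: The comment "# Set up keys for TCP MD5 signatures" above the new tcpmd5 rule no longer matches what a reader sees, since one rule now replaces the two explicit directions that were removed. Suggest extending the comment to say that the rule also creates the SA from 192.168.3.27 to 192.168.3.14 with spi 0x1001 and key 0xbeefdead, so the example shows the mapping between the colon-separated values and the two directions. As a style point on the continuation line, `\e` is the usual way to write a literal backslash in roff source, while `\\` is mainly intended for macro definitions; consider `\e` at the end of the "spi 0x1000:0x1001" line.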